This topic summarizes the firewall rules required for migration with vMotion, both in your on-premises and cloud data centers.

VMware Cloud on AWS Firewall Rules for vMotion

Ensure that the following firewall rules are configured in the VMware Cloud Console.

| Use Case | Source | Destination | Service |
|---|---|---|---|
| Provide access to vCenter from the on-premises site. Used for general vSphere Client access as well as for monitoring vCenter. | Remote (on-premises) vSphere Client IP address | vCenter | HTTPS |
| Allow outbound vCenter access to on-premises vCenter. | vCenter | Remote (on-premises) vCenter IP address | Any (All Traffic) |
| Allow SSO. | vCenter | Remote (on-premises) Platform Services Controller IP address | vCenter SSO (TCP 7444) |
| ESXi NFC traffic. | Remote (on-premises) ESXi VMkernel networks used for NFC | ESXi | Provisioning (TCP 902) |
| Allow outbound ESXi access to on-premises. | ESXi | Remote (on-premises) ESXi management VMkernel networks | Any (All Traffic) |
| Allow vMotion traffic. | Remote (on-premises) ESXi vMotion VMkernel networks | ESXi | vMotion (TCP 8000) |

On-Premises Firewall Rules for vMotion

Ensure that the following firewall rules are configured in your on-premises firewall.

| Rule | Action | Source | Destination | Service | Ports |
|---|---|---|---|---|---|
| On-premises to vCenter | Allow | Remote (on-premises) vSphere Client subnet | VMware Cloud on AWS vCenter IP address | HTTPS | 443 |
| Remote to ESXi provisioning | Allow | Remote (on-premises) subnet | | TCP | 902 |
| Cloud SDDC to on-premises vCenter | Allow | CIDR block for cloud SDDC management network | On-premises vCenter, PSC, Active Directory subnet | HTTPS | 443 |
| Cloud SDDC to ESXi Remote Console | Allow | CIDR block for cloud SDDC management network | VMware Cloud on AWS vCenter IP address | | |
| Cloud SDDC to Remote LDAP | Allow | CIDR block for cloud SDDC management network | Remote LDAP server | TCP | 389, 636 |
| Cloud SDDC to ESXi vMotion | Allow | CIDR block for cloud SDDC management network | Remote ESXi host subnet | TCP | 8000 |
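A practical way to audit an on-premises firewall against the rows above is to encode each required flow (source, destination, protocol, port) and check whether some configured rule covers it, honouring subnet containment, port ranges and direction. The script below is an added example, not VMware's code; every CIDR and address in it is a constructed placeholder standing in for the subnets named in the table.

```python
"""Check a candidate on-premises rule set for the vMotion flows this page lists.
Added example; all addresses are constructed placeholders, not real SDDC values."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    src: str            # CIDR of the source network
    dst: str            # CIDR of the destination network
    proto: str          # "tcp" or "any"
    ports: tuple        # inclusive (low, high) destination port range


def covers(cfg: Rule, req: Rule) -> bool:
    """True if configured rule `cfg` permits everything required flow `req` needs."""
    src_ok = ipaddress.ip_network(req.src).subnet_of(ipaddress.ip_network(cfg.src))
    dst_ok = ipaddress.ip_network(req.dst).subnet_of(ipaddress.ip_network(cfg.dst))
    proto_ok = cfg.proto == "any" or cfg.proto == req.proto
    port_ok = cfg.ports[0] <= req.ports[0] and req.ports[1] <= cfg.ports[1]
    return src_ok and dst_ok and proto_ok and port_ok


def missing_rules(required, configured):
    """Names of required flows that no configured rule covers, in table order."""
    return [r.name for r in required if not any(covers(c, r) for c in configured)]


# Constructed placeholders for the subnets the table refers to.
VSPHERE_CLIENT = "10.10.0.0/24"   # on-premises vSphere Client subnet
CLOUD_VCENTER = "192.0.2.10/32"   # VMware Cloud on AWS vCenter IP address
SDDC_MGMT = "10.200.0.0/16"       # CIDR block for cloud SDDC management network
ONPREM_MGMT = "10.20.0.0/24"      # on-premises vCenter, PSC, Active Directory subnet
ONPREM_ESXI = "10.30.0.0/24"      # remote ESXi host subnet
LDAP_SERVER = "10.20.0.50/32"     # remote LDAP server

REQUIRED = [
    Rule("On-premises to vCenter", VSPHERE_CLIENT, CLOUD_VCENTER, "tcp", (443, 443)),
    Rule("Cloud SDDC to on-premises vCenter", SDDC_MGMT, ONPREM_MGMT, "tcp", (443, 443)),
    Rule("Cloud SDDC to Remote LDAP", SDDC_MGMT, LDAP_SERVER, "tcp", (389, 389)),
    Rule("Cloud SDDC to Remote LDAPS", SDDC_MGMT, LDAP_SERVER, "tcp", (636, 636)),
    Rule("Cloud SDDC to ESXi vMotion", SDDC_MGMT, ONPREM_ESXI, "tcp", (8000, 8000)),
]

# Constructed candidate config: a /16 client rule and an any-port management rule
# cover the HTTPS and LDAP flows, but nothing permits TCP 8000 to the ESXi subnet.
CONFIGURED = [
    Rule("clients to cloud vCenter", "10.10.0.0/16", CLOUD_VCENTER, "tcp", (443, 443)),
    Rule("sddc to on-prem mgmt", SDDC_MGMT, "10.20.0.0/16", "tcp", (1, 65535)),
]
```

Running `missing_rules(REQUIRED, CONFIGURED)` on the sample reports only the vMotion flow, which is the gap that would make a migration fail after all the vCenter-level checks pass.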